GDPR was written to protect customer data from centralised entities - where does decentralised technology fit in?

The General Data Protection Regulation (GDPR) comes into effect in the EU next month. This new law is a major change, which revamps personal data protection for EU citizens and establishes a new set of ‘digital rights’.

However, an article in Diar points out that the law has apparently been written without taking blockchain technology into account at all – and there is a serious question as to whether an immutable blockchain can function without violating EU rules.

Data protection

GDPR extends data protection for EU citizens in a number of ways that could be considered incompatible with bnlockchain technology:

Firstly, it extends the protection of EU citizens to foreign companies that process their data and mandates the existence of a data protection officer at all firms that handle relevant data – meaning that non-EU cryptocurrency exchanges will suddenly find that many of their customers now come with a few too many strings attached.

The new law codifies the right of individuals to request that their data be deleted – but the whole point of a blockchain is that data cannot be deleted.

It orders that citizens be kept informed of how their data is being used and all decisions made on their behalf – but in many cases, decisions are made automatically by a smart contract.

Penalties for non-compliance are steep – four percent of a company’s annual revenue (or up to 20 million euros) can be levied in case of misconduct.

Some believe that this new law is fundamentally inconsistent with the cryptocurrency industry. Jerry Brito, Executive Director of Coin Center, a Washington-based non-profit cryptocurrency advocacy research organisation, said: “The result of the law…may be that Europe is closing itself off from the future of the Internet to its detriment.”

What is personal data?

The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Suggested articles

Does a private key fall under this definition, for example? Brian Behlendorf, Executive Director of Hyperledger, thinks not; he told Diar: “The point of a public key is to intentionally share it so other participants can verify the signature. There isn’t something that it reveals about person unlike other Personally Identifiable Information (PII) like IP addresses.”

Others disagree. Tim Swanson, former Director of Market Research at R3, said: “From a theoretical and academic standpoint, it makes sense that public keys could be personal data because they are connected to specific persons. Therefore, they can violate GDPR. However, this has not been tested in court yet so there is no concrete answer.”

Tanya Moeller and Simon Schwerin of the Blockchain Association of Ireland, writers of a report on the subject published in June 2017, told Silicon Republic: “As usual, technological innovations challenge the manner in which laws are applied.”

Private keys are only one of the possible issues. The new law orders that pseudonymous data be stored separately from real data. The outlawing of anonymous transactions blockchain is not exclusive to the EU; similar laws have been passed by South Korea and Bangladesh, while in Malaysia, Japan and the US, cryptocurrency exchanges are required to verify users’ identities – Japan recently came down hard on Binance for not confirming its customers’ identities. Meanwhile, Israel is getting ready to tax cryptocurrency users on their gains.

In fact, anonymity (or rather, pseudonymity) is not a central facet of blockchain technology. However a large part of the attraction of cryptocurrency is that it gives people the option of bypassing the traditional financial system, and to that end pseudonymity is vital. This is one reason why coins like Monero are becoming so popular.

One company is working on an editable blockchain – Accenture points out that by doing this it will be one of the few companies that can be compliant with GDPR. But this raises an interesting discussion as to what a blockchain is, and if a blockchain has any worth if it can be altered.

Diar points out that the new laws were written to protect people from centralised services that control their data. But these laws were written in 2015 and adopted in April 2016, and during the two-year transition period, the cryptocurrency industry has become more significant than anyone could have guessed back then.

“The GDPR presumes that there will be central intermediaries that can ‘erase’ information, but the world is trending toward ever more decentralized and immutable technologies,” said Brito.